Search

Libreboot on an X60, Part I: the Setup

Recently I wrote a review for the Linux Journal Web
site on the Purism Librem 15 laptop. The goal of this laptop is to provide a piece of modern hardware that
can run 100% free software not just for the OS, but also all device drivers
and firmware up to and including the BIOS. At the time I'm writing this, the
last major sticking point along those lines for the project is the Intel
Management Engine: a proprietary piece of firmware that is required to boot
up modern systems. In that review, I wrote the following:

It turns out it's rather difficult to have a fully free software laptop.
Even if you can pick hardware that can use free software drivers, there's
still that pesky BIOS. While coreboot and libreboot are great free software
BIOS implementations, to get it on many laptops requires hardware BIOS chip
flashing with pomona clips—the kind of thing I wasn't ready to brick a
laptop to try. Like other privacy advocates, I turned to the old ThinkPad
X60 laptop series. While it's old, underpowered and has a low-res screen
by today's standards, the keyboard is great and more important, you could
flash its BIOS with coreboot or libreboot from within Linux itself—no
hardware hacking required. So that's what I did.

Although the Purism 15 laptop seems to be a viable choice for those who want a
free software laptop, at the time of this writing, the crowdfunding campaign
is still in process, and even after it completes, it will take some time
until they ship. Plus, a new laptop like that doesn't come cheap, and many
people who may want a laptop that runs 100% free software may not have
$1,600+ to spend on it. I've been able to find used ThinkPad X60 laptops on
auction sites as cheap as $30, so if you are willing to live with some of
the limitations of hardware that old, it is an inexpensive route to a
decent machine that runs only free software.

The first time I attempted to flash an X60 with coreboot, it was one of the
more difficult things I'd done with Linux to the point that I wasn't ever
planning on writing it up in Linux Journal. More
recently, I tried again,
only this time with Libreboot—a coreboot BIOS distribution that has all of
the proprietary software removed. The process was greatly simplified and
automated to the point where I feel relatively comfortable recommending others
try it (with a few caveats I'll explain later).

In my next couple articles, I'm going to walk through the journey
that brought me to the X60 running Libreboot that I'm using to type this
column. In this first part, I discuss the setup, including what
Libreboot is, what hardware it currently supports and some of the risks
around flashing your BIOS. If I haven't scared you off by the end of this
article, in future articles, I'll cover how to download Libreboot and verify
its integrity, how to flash the BIOS itself in detail with sample script
output and how to modify the default GRUB bootloader. If you can't wait
until next month, a lot of my process is based on the excellent guide
provided at
https://github.com/bibanon/Coreboot-ThinkPads/wiki/ThinkPad-X60.

Free as in BIOS

To understand Libreboot, it helps to understand coreboot first. Coreboot is
an open-source BIOS replacement. With coreboot, you can replace a
proprietary BIOS with open-source software on supported hardware with a
minimal amount of proprietary firmware included to support things like
video hardware in the BIOS or the Intel Management Engine on newer
hardware. Coreboot doesn't currently support all hardware out there,
although the list continues to grow, and you might be surprised to know that
Chromebooks ship with coreboot by default. To install coreboot on much of
the supported hardware, you must use external hardware including a connector
like an 8-pin Pomona clip to reflash the BIOS chip. That's pretty intense
for a lot of people, but fortunately, some hardware including the X60, X60s,
X60 tablet and T60 can be flashed completely in software.

When I first attempted to flash an X60 with coreboot a few months ago, the
process involved disassembling the laptop to inspect the underside of the
motherboard with a magnifying glass so I could determine which of two BIOS
chip types I had. I used that information to hand-patch the flashrom
software with custom code and compiled a special version just to unlock my
BIOS. Then I downloaded, configured and compiled a custom coreboot BIOS
image for my laptop and went through a two-phase flash. In the end, I got it
working; however, I needed to strip out and include the proprietary video
firmware from my proprietary BIOS to get any video at boot time—useful
when you want to select between hard drive and USB boot.

Libreboot is a custom distribution of coreboot that removes all proprietary
software from the BIOS. Instead of proprietary BIOS boot selector, for
instance, Libreboot boots straight into its own GRUB menu that you can use to
load your own underlying OS. In addition, Libreboot has automated a lot of the
difficult processes around installing coreboot and provides custom scripts
and pre-build ROMs for its officially supported hardware.

But, why would you want a free software BIOS? For those who fully support
the Free Software Foundation and the principles of free software, you don't
need any further justification. Although I have traditionally taken a more
pragmatic approach to the free vs. open-source software debate, I've
recently been more motivated to seek out free software whenever I can find
it as I explain in my Librem 15 review:

In the past, I didn't care all that much if I had to use a binary blob to
get a wireless card or video card working as long as it worked, and I
definitely never cared that my BIOS was proprietary software.

Then the Snowden leaks happened. The sheer depth and breadth of the loss of
privacy motivated me to step up my game in terms of overall security and
focus on privacy. In the past it would seem rather paranoid to think that
there might be some sort of NSA-sanctioned spyware in a binary blob,
firmware, or the BIOS. After the Snowden leaks and the subsequent
disclosures about the ANT catalog, these things stopped seeming so
far-fetched. I found myself leaning more toward the Stallman camp. One of
the only ways to be truly sure that you don't have a backdoor on your
system is to be able to see the source code for all of it from the browser
plugins to the kernel drivers all the way to the BIOS.

Supported Hardware

Due to the fact that Libreboot avoids any proprietary firmware in the BIOS,
its hardware support is somewhat limited. Among other reasons, this is due
to the fact that modern Intel hardware requires the proprietary Intel
Management Engine firmware even to boot. Although you may be able to get
Libreboot to work on other hardware, at this point, only a few laptops are
listed on its hardware compatibility list as officially supported:

Lenovo ThinkPad X60/X60s

Lenovo ThinkPad X60 Tablet

Lenovo ThinkPad T60

Apple MacBook1,1

Apple MacBook2,1

You may find one major thing in common with all the laptops on this list:
they are old. In most cases, we are talking about 32-bit Intel Core Duo
processors or 64-bit Core 2 Duos in some cases (and the T60's CPU can be
replaced with a 64-bit CPU apparently). That said, the X60 is a decent
piece of hardware with a solid keyboard and decent battery life, even if the
CPU is slow and the screen resolution is low by today's standards.

Even on this list of supported hardware there are some exceptions. Although
all X60s are supported, only T60s that use Intel GPUs are supported, and
those with ATI GPUs are not. The Libreboot hardware compatibility page
has more information to help you figure out what's supported and what
isn't. The page also lists recommended Wi-Fi chipsets that are known to work
well with Libreboot and Linux in general, as they don't require any
proprietary binary blobs to function.

Risky Business

If it doesn't already go without saying, reflashing the BIOS on your laptop
with custom software is risky! Although I've had success so far
flashing a couple different X60s, I did temporarily brick one laptop
when I got fancy and tried an initial flash with one of my own custom ROMs
instead of one provided by Libreboot. For the most part, the process is
straightforward and automated, but as you'll see in my follow-up article
that describes each step, many of the automated scripts call other software
that output some pretty scary warnings and errors during the process that
you are supposed to ignore.

There are two primary ways you can brick your laptop during the process.
First, you could have a bad flash during the initial bootstrapping flash
phase. If that happens but you were using one of the Libreboot-supplied
ROMs, all you should have to do is shut off the machine, unplug the CMOS
battery for a few seconds, reconnect it and power on your machine to get
back to the original BIOS.

If you flash during the initial bootstrapping phase with a custom ROM like
I tried one time, lose power during the process, attempt this on
incompatible hardware or otherwise encounter a worst-case scenario, you
could end up with a completely unbootable machine. Because you can't boot
back to your OS, you can't attempt to reflash, so you are stuck with a
bricked laptop unless you buy hardware that can flash your BIOS chip, such
as a BusPirate or a Raspberry Pi running custom software. That said, if you
have that hardware, wire it properly and you remembered to back up your
original BIOS first, you should be able to restore your laptop to normal.

Although so far I've been successful when I've stuck strictly to the
directions, there is still a possibility you will brick your laptop, so if
you are particularly attached to your laptop and can't risk it being out of
service while you acquire hardware flashing tools, you may want to
reconsider going down this road. Again, you can get used X60s relatively
cheap on-line if you shop around, so if you are concerned, you may want to try
this first with a sacrificial machine.

Conclusion

Well, if I haven't scared you off yet, I hope you check out my next column
in this series where I jump right into step-by-step instructions on how to
flash an X60 with Libreboot. Although the process isn't quite as simple as
updating a traditional proprietary BIOS and requires a number of unusual
steps, most of the hard work already has been done for you, and in the end
you'll have a trusted machine without any proprietary firmware.

Kyle Rankin is a Tech Editor and columnist at Linux Journal and the Chief Security Officer at Purism. He is the author of Linux Hardening in Hostile Networks, DevOps Troubleshooting, The Official Ubuntu Server Book, Knoppix Hacks, Knoppix Pocket Reference, Linux Multimedia
Hacks and Ubuntu Hacks, and also a contributor to a number of other O'Reilly books. Rankin speaks frequently on security and open-source software including at
BsidesLV, O'Reilly Security Conference, OSCON, SCALE, CactusCon, Linux World Expo and Penguicon. You can follow him at @kylerankin.